Zero trust strategy: Cloud security by design
The benefits of a security-first approach to cloud
As we have seen in the last 18 months, cloud opens the door to organizational agility on an unprecedented scale. But security is essential to take advantage of cloud’s potential. Accenture, with our size, scale and complexity, has experienced first-hand the power of cloud security.
Six years ago, Accenture initiated the move into the cloud. While our recent research has identified that security and compliance risk is seen as one of the top two pain points of cloud adoption, we were clear from the outset that cloud security would be a critical component to supporting our business needs.
Moving from on-premise infrastructure, where we had complete control, to collaborating in the cloud with vendors and relying on their technology and environment was a big shift. Infrastructure and new service capabilities in the cloud are different; we couldn’t simply translate what we had on-premise directly into the cloud.
We needed to reimagine the approach to implementing our security model to harness the capabilities of cloud native solutions. We evolved core security guiding principles to meet the requirements of operating in the cloud. We redefined our security rules to flex around the updated cloud-based infrastructure. When we look at our security approach, we think beyond just infrastructure to the application, data and code levels as well.
Today, Accenture IT infrastructure runs in the hybrid cloud and is costing significantly less than our legacy delivery models. Our strategy was to be secure from the start, reframing our security in terms of cloud capabilities, which has helped us to see how our cloud solutions can support every element of security needed within the business.
Early on in our cloud continuum journey, we recognized the need to evolve our security practices to accommodate our core security values for the cloud. We wanted to be software-defined, securing our application and infrastructure code from the start. We infused analytics that were behavior-driven, using automated artificial intelligence (AI) behavioral analytics to identify anomalies faster and with more accuracy when working across our cloud platforms. It was important to us to be cloud agnostic, fit for a multi-cloud environment, so that the security framework and principles apply to any cloud vendor with auditability.
What’s more, we embedded robust defense, relying on multiple layers of security at varying depths: cloud, network, access, data and endpoints. We centered our strategy on a zero-trust approach, protecting every aspect of the cloud security journey by treating everything as untrusted. With the focus on zero trust, we followed an identity-centric approach, basing all access on identity where every request is explicitly verified.
We have taken a comprehensive view across the various components of operating in the cloud to create a truly holistic cloud security strategy. As we implement this transformational approach to security across a multi-cloud infrastructure, we can continue to enforce highly effective security policies, resources and services.
Here are some of our lessons learned around effective cloud security:
Going forward, to secure and manage access controls across a multi-cloud environment, we have our sights set on cross-platform alignment so that all identities align across all platforms and vendors. Using data as the key driver, our cloud security will continue to be comprehensive as our cloud capabilities grow across platforms.
We also want to discover new solutions and augment our security with AI for threat detection and machine learning to remediate our code to prevent potential vulnerabilities. This, combined with our Prevent, Protect, Detect, and Recover strategy, can strengthen our zero-trust imperative.
“There's some exciting things on the horizon. Having a more highly automated response is a powerful proposition and could reinvent cloud security as we know it.”
internal cloud applications being accessed by 624,000 employees.
events our security analytics tools evaluate per day from our cloud providers.
native cloud security controls with automated prevention.